Engineering
Flow sources are now self-serve: router-level visibility in minutes
Adding sFlow, NetFlow, or IPFIX ingestion from your routers is now self-serve, billed per source, with no sale...
11 min read →Blog
Attack postmortems.
Engineering deep-dives.
Practical guides from engineers who've been DDoS'd and learned from it.
All
Post-Mortem
Attack Analysis
Original Research
Engineering
Forensics
Integrations
Mitigations
Fundamentals
Tools
Comparisons
Engineering
Why Flowtriq uses percentile-based baselines, not averages
Static thresholds false-alarm and averages get skewed by spikes. Flowtriq sets detection thresholds from the 99th percentile of a 300-sample rolling window, with no manual tuning.
Engineering
Cloud-native DDoS attacks targeting Kubernetes: the 2026 threat landscape
Yo-yo autoscaling attacks, token theft, and L7 floods targeting K8s workloads increased 312% in Q1 2026. Detec...
14 min read →Engineering
AI-powered DDoS: how attackers use machine learning to evade detection
Attackers use ML to rotate vectors mid-flood, mimic legitimate traffic, and auto-tune rates below thresholds. ...
14 min read →Engineering
DDoS protection for multi-cloud and hybrid infrastructure
Each cloud has its own DDoS tool but none see the full picture. The visibility gap, cost problem, and why unif...
13 min read →Engineering
BGP hijacking as a DDoS vector: route leaks, prefix hijacks, and traffic blackholes
How BGP hijacking causes denial of service, real-world examples, RPKI defense, and the connection between BGP ...
14 min read →Engineering
What happens when DDoS detection takes minutes instead of seconds
A side-by-side walkthrough of infrastructure during a volumetric attack: what is happening at T+1s, T+30s, T+5...
12 min read →Engineering
Why your DDoS scrubbing provider needs a detection layer in front of it
Cloud scrubbing is reactive: it absorbs traffic after your link saturates. A detection layer triggers scrubbin...
11 min read →Engineering
How Flowtriq actually works when you're under attack
Flowtriq's protection doesn't depend on your server staying online. Here's exactly how the agent, data pipelin...
9 min read →Engineering
From flow ingestion to BGP mitigation: how Flowtriq detects and stops DDoS attacks
How Flowtriq ingests sFlow, NetFlow, and IPFIX, merges flow data with kernel metrics for sub-second detection,...
22 min read →Engineering
Real-time DDoS detection at scale
How Flowtriq detects attacks in under 2 seconds using per-second traffic analysis....
13 min read →Engineering
BGP mitigation and DDoS automation: how Flowtriq orchestrates multi-layer defense
A technical deep dive into Flowtriq's detection and mitigation engine: native sFlow/NetFlow/IPFIX flow ingesti...
15 min read →Engineering
DDoS detection reality check: what most engineers get wrong
Most engineers make critical mistakes when evaluating DDoS detection solutions. Learn the technical realities ...
10 min read →Engineering
Why traditional DDoS solutions fail: a technical comparison
Discover the technical limitations of legacy DDoS protection and why modern approaches outperform traditional ...
12 min read →Engineering
The blind spots of NetFlow-only DDoS detection
Sampling rates, export intervals, and missing protocol context create systematic gaps in flow-based DDoS detec...
13 min read →Engineering
Real-time DDoS protection: why every second counts
Detection speed is the single most important variable in DDoS defense. Why the gap between 1-second and 60-sec...
12 min read →Engineering
How to eliminate DDoS false positives without missing real attacks
Dynamic baselines, per-protocol classification, attack fingerprinting, and maintenance windows: the techniques...
11 min read →Engineering
NetFlow vs sFlow vs packet inspection for DDoS detection
A practical comparison of the three main traffic analysis methods for DDoS detection. Sampling rates, detectio...
14 min read →Engineering
Setting up DDoS alerting for 1, 10, 50, and 500 servers
How alerting architecture changes as your infrastructure grows. From single-server thresholds to fleet-wide an...
13 min read →Engineering
What 47,000 PPS looks like in /proc/net/snmp
A real walkthrough of kernel counters during a high-PPS attack: how to read them, what they mean, and how to b...
7 min read →Engineering
Setting up DDoS alerting for a 50-server game hosting cluster
Game servers have unique traffic profiles that make generic alerting useless. How to tune per-game thresholds ...
9 min read →Engineering
Flowtriq at scale: what we learned monitoring 1M+ endpoints
Attack patterns, false positive causes, time-of-day trends, and detection engine changes after analyzing milli...
10 min read →Engineering
Why static thresholds fail and what we use instead
Setting a fixed PPS threshold sounds simple until you have game servers that spike 10x on a new patch day. We ...
5 min read →Engineering
What Happens When Your DDoS Detection Has No API
Without a DDoS detection API, every integration is a custom script, every automation is fragile, and every wor...
10 min read →Engineering
How to Auto-Rollback DDoS Mitigation When It Causes Collateral Damage
A mitigation rule that blocks an attack but also drops legitimate traffic is worse than no mitigation. Here is...
12 min read →Engineering
How to Migrate from CLI-Based DDoS Detection to a Web Dashboard
Moving from a CLI-only DDoS tool to a web dashboard does not mean starting over. How to plan the migration, ru...
10 min read →Newsletter
Attack analysis in your inbox
One email a month. Real attack postmortems, detection techniques, and engineering insights. No marketing fluff.
No spam. Unsubscribe any time.